The Equation Group hack tool set is associated with advanced persistent threat activity; a match on this rule may indicate sophisticated malware or espionage tooling on the host. SOC teams should proactively hunt for this signature in Azure Sentinel to identify potential long-term compromise and to mitigate advanced threat actors leveraging known Equation Group tools. Treat a match as high severity: these tools have no legitimate enterprise use, so a hit outside a controlled malware-analysis environment is very likely a true positive.
YARA Rule
rule EquationGroup_cursetingle_2_0_1_2_mswin32_v_2_0_1 {
   meta:
      description = "Equation Group hack tool set"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-09"
      hash1 = "614bf159b956f20d66cedf25af7503b41e91841c75707af0cdf4495084092a61"
   strings:
      $s1 = "[%.2u%.2u%.2u%.2u%.2u%.2u]" fullword ascii
      $s2 = "0123456789abcdefABCEDF:" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 300KB and all of them )
}
This rule contains 2 string patterns in its detection logic, and its condition requires all of them: both $s1 and $s2 must be present as full words (not preceded or followed by an alphanumeric byte), the file must start with the PE magic "MZ" (uint16(0) == 0x5a4d, read little-endian), and the file must be smaller than 300 KB. A hit on only one of the strings, or on a string embedded inside a longer alphanumeric run, is therefore not a match. Note that $s2 reads "ABCEDF" rather than "ABCDEF"; the rule must be copied verbatim, since it matches the binary as it is.
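To make the condition concrete, here is a pure-Python re-implementation of the rule's matching logic. This is an added example for this page, not the rule author's code and not the yara library; it evaluates each clause separately so an analyst can see exactly why a file does or does not match, including the fullword boundary semantics. The sample buffers it scans are constructed inline and are not real binaries.

```python
"""Pure-Python re-implementation of the condition of the YARA rule above.

Added example for this page (not the rule author's code, not yara-python).
Each clause of the condition is evaluated on its own so the reason for a
hit or a miss is visible. Sample buffers are constructed here; they are
not real binaries.
"""
import hashlib

# Strings and metadata copied verbatim from the rule. $s2 reads "ABCEDF",
# not "ABCDEF": the rule matches the binary as it is, so the string must
# not be "corrected" when the rule is copied into a tool.
S1 = b"[%.2u%.2u%.2u%.2u%.2u%.2u]"
S2 = b"0123456789abcdefABCEDF:"
HASH1 = "614bf159b956f20d66cedf25af7503b41e91841c75707af0cdf4495084092a61"
MAX_SIZE = 300 * 1024  # YARA's "KB" suffix means 1024 bytes


def fullword_ascii(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': at least one occurrence must not be immediately
    preceded or followed by an alphanumeric byte. Any other neighbour
    (NUL, '[', ':', whitespace, start or end of file) is acceptable."""
    pos = data.find(needle)
    while pos != -1:
        before = data[pos - 1:pos] if pos > 0 else b""
        after = data[pos + len(needle):pos + len(needle) + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        pos = data.find(needle, pos + 1)
    return False


def evaluate_rule(data: bytes) -> dict:
    """Return each clause of the condition with its truth value plus the
    overall result ('match'), which is the AND of all clauses."""
    clauses = {
        # uint16(0) == 0x5a4d is a little-endian 16-bit read, i.e. bytes "MZ"
        "mz_header": data[:2] == b"MZ",
        "filesize_lt_300kb": len(data) < MAX_SIZE,
        "s1": fullword_ascii(data, S1),
        "s2": fullword_ascii(data, S2),
    }
    clauses["match"] = all(clauses.values())
    return clauses


def is_listed_sample(data: bytes) -> bool:
    """True only for the exact file referenced by hash1 in the rule's meta."""
    return hashlib.sha256(data).hexdigest() == HASH1


def build_sample(with_s1=True, with_s2=True, glue=b"\x00", size=4096) -> bytes:
    """Constructed stand-in for a small PE: 'MZ' plus padding, with the rule
    strings embedded as C-style NUL-terminated strings. 'glue' is the byte
    that follows each string and so controls the fullword boundary."""
    body = b"MZ" + b"\x00" * 62
    if with_s1:
        body += S1 + glue
    if with_s2:
        body += S2 + glue
    return body.ljust(size, b"\x00")


if __name__ == "__main__":
    cases = {
        "both strings, NUL-terminated": build_sample(),
        "only $s1 present": build_sample(with_s2=False),
        "strings glued to a letter (fullword fails)": build_sample(glue=b"X"),
        "too large": build_sample(size=400 * 1024),
        "not a PE": b"\x7fELF" + build_sample()[4:],
    }
    for name, blob in cases.items():
        print(f"{name:45s} {evaluate_rule(blob)}")
```

Running the script shows that only the first constructed case matches; the others each fail exactly one clause, which is the kind of breakdown to reproduce when triaging a suspected false positive before writing an exclusion.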
Scenario: Malware research or sample repository
Description: Security researchers and threat-intelligence teams keep copies of the leaked Equation Group samples (including the file referenced by hash1) on analysis workstations or file shares, so scanning those locations produces expected hits.
Filter/Exclusion: Exclude only the specific, documented sample-repository paths, and store samples in password-protected archives so that ordinary file scanners cannot read them. The same hash or strings found outside those paths remain true positives.
Scenario: Antivirus quarantine or sandbox output
Description: A file already quarantined by endpoint protection, or written to disk by a detonation sandbox, is rescanned by YARA and matches again.
Filter/Exclusion: Exclude the quarantine and sandbox working directories, and correlate the YARA hit with the original detection event rather than treating it as a new infection.
Scenario: Detection validation by the security team
Description: A red or purple team deliberately places the sample on a host to verify that the YARA rule and the Sentinel analytic fire.
Filter/Exclusion: Use a time-boxed suppression tied to the test's change record and the specific host; do not add a permanent exclusion.
Scenario: Coincidental string match in an unrelated binary
Description: $s1 is a format string for six two-digit numbers (typically a timestamp) and $s2 is a hexadecimal character set; individually such strings can appear in benign software. The rule limits this by requiring both strings as full words, an MZ header and a size under 300 KB, and the unusual letter order in $s2 (ABCEDF rather than ABCDEF) makes an accidental match unlikely.
Filter/Exclusion: Before excluding a suspected false positive, compare the file's SHA-256 with hash1, check its digital signature and detonate it in a sandbox. Do not build exclusions on the user account or on command-line arguments; an attacker controls both.